Author - Abdur Rafi, CISO, ABP Pvt. Ltd., India
In May 2017 a broad wave of attacks began spreading the latest version of the WanaCryptor ransomware. This attack, also referred to as WannaCrypt or WannaCry, reportedly impacted the systems of public and private organisations worldwide: Britain's NHS cancelled surgeries, a wide array of Russian and Chinese private and public institutions were crippled for most of the day, and the rest of the world recoiled in shock.
Here is a solution: Anti-WannaCry, developed by the ABP IT Security Team at the Kolkata DataCentre, India, and launched on 15th May 2017.
Anti-WannaCry is a complete framework which not only finds and removes any traces of WannaCry from the PC, but also actively stops any future infection, thus making the system immune to future WannaCry attacks.
It is a self-contained, client-based solution. It is independent of the Windows version, but .NET Framework 4.5 is required (note that .NET Framework 4.5 is not available for Windows XP or Windows Server 2003, so those hosts cannot run it).
It works on behavioural analysis and is not signature dependent, so it needs no internet connectivity or updates to work properly. It can also run on isolated systems with no network or internet access.
Its 360-degree protection covers the following vectors (the diagram is not reproduced here): it monitors each of them for WannaCry-related infection and actively stops the malware's execution and spread. (See more at: https://youtu.be/sJzeb30SwBQ)
Please download a copy to evaluate it yourself from the link provided by the author (take care when navigating outside cisoplatform).
What is WannaCry?
WannaCry is the latest ransomware, affecting PCs and servers like wildfire. The functional architecture of the ransomware is shown in the diagram below (not reproduced here).
Executing the ransomware drops the following files:
Dissecting Its Package - Part 1
- File footprint after execution:
- WannaCry.exe (the sample as executed)
- tasksche.exe (launched with the /i switch)
- Anti-detection / stealthiness:
- OpenServiceA@ADVAPI32.DLL at PID 00003256
Some interesting ransomware code snippets (screenshot not reproduced here)
Dissecting Its Package - Part 2
Features of WannaCry:
- Contains a remote-desktop-related string.
- Reads terminal-service (RDP) related registry keys.
- Uses network protocols on unusual ports.
- Deletes volume snapshots.
- Disables startup repair.
- Modifies auto-execute functionality by setting/creating values in the registry.
- Spawns a lot of processes.
- Tries to suppress failures during boot (often used to hide system changes).
- Reads system information using Windows Management Instrumentation Command line (WMIC).
- Reads the active computer name.
- Reads the cryptographic machine GUID.
Dissecting Its Package - Part 3
Some of the interesting processes that WannaCry interacts with, executes or creates:
- attrib.exe
- taskdl.exe
- cmd.exe with command line "cmd /c 44651494617562.bat"
- attrib.exe with command line "attrib +h +s %SAMPLEDIR%\$RECYCLE"
- cscript.exe with command line "//nologo m.vbs"
- @WanaDecryptor@.exe with command line "co"
- cmd.exe with command line "/c start /b @WanaDecryptor@.exe vs"
- taskhsvc.exe with command line "TaskData\Tor\taskhsvc.exe"
- taskse.exe with command line "C:\@WanaDecryptor@.exe"
- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
(Kill switch for WannaCry v2.0: at start-up the sample issues an HTTP request to this domain and, if the request succeeds, exits without running the worm or the encryptor. The domain was later registered and sinkholed, which is why connectivity to it stopped the spread.)
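As an added example (not part of the original article and not code from the Anti-WannaCry tool), the Python below turns the behaviours listed in Parts 2 and 3 into detection logic over process-creation events. The snapshot-deletion and boot-repair command lines are the ones WannaCry runs through "@WanaDecryptor@.exe vs"; the host names, PIDs and sample events are constructed for the example, and the rule weights and flagging threshold are assumptions to be tuned. It also goes a little beyond the page by showing a benign host whose backup administrator runs one of the same commands, which stays below the threshold.

```python
import re
from collections import defaultdict

# Detection rules as (name, weight, regex over the full command line).
# Weights are an assumption for this example: commands WannaCry is known to
# issue score high, generic admin commands such as "attrib +h" score low.
RULES = [
    ("vss_delete",       4, re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wbadmin_catalog",  4, re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("wmic_shadow",      4, re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("bcd_recovery_off", 3, re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcd_ignore_boot",  3, re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("icacls_everyone",  3, re.compile(r"\bicacls(?:\.exe)?\b.*/grant\s+Everyone:F\b", re.I)),
    ("wanadecryptor",    5, re.compile(r"@WanaDecryptor@\.exe", re.I)),
    ("tasksche_install", 5, re.compile(r"\btasksche\.exe\b.*\s/i\b", re.I)),
    ("task_helpers",     2, re.compile(r"\b(?:taskse|taskdl|taskhsvc)\.exe\b", re.I)),
    ("vbs_shortcut",     2, re.compile(r"\bcscript(?:\.exe)?\b.*//nologo\s+m\.vbs\b", re.I)),
    ("attrib_hide",      1, re.compile(r"\battrib(?:\.exe)?\b.*\+h\b", re.I)),
]

# A host is flagged once the weights of its distinct matched rules reach this (assumed value).
THRESHOLD = 8

# Constructed process-creation events (the shape of Sysmon Event ID 1 / Security 4688 data).
SAMPLE_EVENTS = [
    # WS01: a WannaCry-style process tree using the command lines from the analysis above
    {"host": "WS01", "pid": 3256, "image": "tasksche.exe",
     "cmdline": r"C:\Windows\tasksche.exe /i"},
    {"host": "WS01", "pid": 3300, "image": "cmd.exe",
     "cmdline": r"cmd /c 44651494617562.bat"},
    {"host": "WS01", "pid": 3312, "image": "attrib.exe",
     "cmdline": r"attrib +h +s C:\Users\bob\Desktop\$RECYCLE"},
    {"host": "WS01", "pid": 3320, "image": "cscript.exe",
     "cmdline": r"cscript.exe //nologo m.vbs"},
    {"host": "WS01", "pid": 3340, "image": "@WanaDecryptor@.exe",
     "cmdline": r"@WanaDecryptor@.exe co"},
    {"host": "WS01", "pid": 3352, "image": "cmd.exe",
     "cmdline": r"cmd.exe /c start /b @WanaDecryptor@.exe vs"},
    {"host": "WS01", "pid": 3360, "image": "cmd.exe",
     "cmdline": (r"cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet & "
                 r"bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                 r"bcdedit /set {default} recoveryenabled no")},
    {"host": "WS01", "pid": 3372, "image": "icacls.exe",
     "cmdline": r"icacls . /grant Everyone:F /T /C /Q"},
    {"host": "WS01", "pid": 3388, "image": "taskhsvc.exe",
     "cmdline": r"TaskData\Tor\taskhsvc.exe"},
    # WS02: legitimate admin activity that touches one of the same commands
    {"host": "WS02", "pid": 9001, "image": "vssadmin.exe",
     "cmdline": r"vssadmin delete shadows /for=C: /oldest"},
    {"host": "WS02", "pid": 9010, "image": "attrib.exe",
     "cmdline": r"attrib +h C:\Users\alice\notes.txt"},
]


def scan_events(events):
    """Return {host: {"score": int, "rules": set, "hits": [(pid, rule, cmdline)]}}.
    Each rule adds its weight to a host only once, so a repeated command does
    not inflate the score; every individual hit is still kept for the analyst."""
    per_host = defaultdict(lambda: {"score": 0, "rules": set(), "hits": []})
    for ev in events:
        cmd = ev["cmdline"]
        for name, weight, rx in RULES:
            if rx.search(cmd):
                h = per_host[ev["host"]]
                h["hits"].append((ev["pid"], name, cmd))
                if name not in h["rules"]:
                    h["rules"].add(name)
                    h["score"] += weight
    return dict(per_host)


def flagged_hosts(events, threshold=THRESHOLD):
    """Hosts whose distinct-rule score reaches the threshold, sorted by name."""
    return sorted(h for h, r in scan_events(events).items() if r["score"] >= threshold)


if __name__ == "__main__":
    for host, result in sorted(scan_events(SAMPLE_EVENTS).items()):
        print(f"{host}: score={result['score']} rules={sorted(result['rules'])}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

The point of summing distinct rules rather than raw hits is that a single "vssadmin delete shadows" from a backup job is routine, whereas shadow deletion together with disabling startup repair, an icacls grant to Everyone and a tasksche.exe /i launch on the same host is the WannaCry sequence; the event source and the weights are assumptions to adjust for your own environment.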
Dissecting Its Package - Part 4
Some of the interesting strings found inside the binary and in a memory dump of WannaCry:
- !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
- https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
- \\172.16.99.5\IPC$ (hard-coded IPC$ share path used when the worm delivers its SMB exploit)
- \\192.168.56.20\IPC$ (hard-coded IPC$ share path used when the worm delivers its SMB exploit)
- C:\%s\qeriuwjhrf
- C:\WannaCrya.exe
- C@GW?M[3
- cmd.exe /c "%s"
- CryptImportKey
- DisableLocalOverride
- DisablePassport
- diskpart.exe
- GetAdaptersInfo
- GetCommandLineA
- GetComputerNameW
- GetCPInfo
- GetCurrentProcess
- GetCurrentProcessId
- GetExitCodeProcess
- GetLastError
- GetNativeSystemInfo
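As an added example (not from the article), here is a minimal `strings`-style extractor that pulls both narrow (ASCII) and wide (UTF-16LE) strings out of a byte buffer, because Windows binaries keep many of these strings as wide characters and a plain ASCII scan misses them, and then matches what it finds against indicators taken from the list above plus the kill-switch host label. The byte buffer is constructed inline for the example and is not a real sample; the two-indicator threshold is an assumption. API names such as CryptImportKey are deliberately left out of the indicator set because every Windows program imports them.

```python
import re

# Indicators taken from the string list above plus the kill-switch host label.
# Generic API names (CryptImportKey, GetComputerNameW, ...) are not used:
# every Windows program imports them, so they carry no signal on their own.
INDICATORS = {
    "tor_bundle_url": "dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip",
    "worm_dir":       "qeriuwjhrf",
    "decryptor":      "@WanaDecryptor@.exe",
    "ipc_172":        "\\\\172.16.99.5\\IPC$",
    "ipc_192":        "\\\\192.168.56.20\\IPC$",
    "killswitch":     "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea",
}


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return printable strings of at least min_len characters, scanning the
    buffer once for narrow (ASCII) runs and once for wide (UTF-16LE) runs,
    the way `strings -e s` and `strings -e l` would."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in narrow.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide.finditer(blob)]
    return found


def match_indicators(strings) -> dict:
    """Map each indicator name to the first extracted string containing it."""
    hits = {}
    for s in strings:
        low = s.lower()
        for name, needle in INDICATORS.items():
            if name not in hits and needle.lower() in low:
                hits[name] = s
    return hits


def is_wannacry_like(blob: bytes, min_hits: int = 2) -> bool:
    """Require at least two independent indicators (assumed threshold)."""
    return len(match_indicators(extract_strings(blob))) >= min_hits


# Constructed buffer: narrow and wide strings separated by NULs and binary junk.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                           # PE header stub
    + b"CryptImportKey\x00\x00"                              # narrow import name
    + b"C:\\%s\\qeriuwjhrf\x00\x00"                           # narrow path format string
    + "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip".encode("utf-16-le")
    + b"\x00\x00"
    + b"\\\\172.16.99.5\\IPC$\x00\x00"                        # narrow UNC path
    + b"\xde\xad\xbe\xef\x01\x02"                             # binary junk between strings
    + "@WanaDecryptor@.exe".encode("utf-16-le") + b"\x00\x00"
    + b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
)

# Constructed benign buffer: ordinary PE strings only.
BENIGN_BLOB = (
    b"This program cannot be run in DOS mode.\x00\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"GetComputerNameW\x00"
)


if __name__ == "__main__":
    for name, s in match_indicators(extract_strings(SAMPLE_BLOB)).items():
        print(f"{name:15} <- {s}")
    print("sample flagged:", is_wannacry_like(SAMPLE_BLOB))
    print("benign flagged:", is_wannacry_like(BENIGN_BLOB))
```

The Tor download URL and the decryptor name in the constructed buffer are stored as wide strings, so a scan with only the narrow regex would report just the path, the UNC share and the kill-switch URL; running both passes is what makes the match set complete. The same extractor applies to a memory dump, where the strings are typically decoded and easier to find than in the packed binary.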